Enterprise ready Security

Collaborate and grow securely on the Cloud

Aeegle Cloud Platform is built on top of Google security foundations relaying hardware provisioning, data security, high availability on the leader of Cloud Infrastructure. Google has a global scale technical infrastructure designed to provide security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.

The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlies the infrastructure, and finally, the technical constraints and processes in place to support operational security.

Google uses this infrastructure to build its internet services, including both: consumer services such as Search, Gmail, Youtube and Photos and enterprise services such as G Suite and Google Cloud Platform.

Encryption at rest
Encryption at rest by default, with various key management options

Data stored in Google Cloud Platform is encrypted at the storage level using either AES256 or AES128. Google uses several layers of encryption to protect customer data at rest in Google Cloud Platform products, encrypting customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms. The data stored is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with key encryption, keys that are exclusively stored and used inside Google’s central Key Management Service, which is redundant and globally distributed.

Google uses a common cryptographic library, Keyczar, to implement encryption consistently across almost all Google Cloud Platform products. Because this common library is widely accessible, only a small team of cryptographers needs to properly implement and maintain this tightly controlled and reviewed code.https://cloud.google.com/security/encryption-at-rest/

Secure Internet Communication
In this section we turn to describing how we secure communication between the internet and these services. Google infrastructure consists of a large set of physical machines which are interconnected over the LAN and WAN and the security of inter-service communication is not dependent on the security of the network.

However, Google do isolate its infrastructure from the internet into a private IP space so that we can more easily implement additional protections such as defenses against denial of service (DoS) attacks by only exposing a subset of the machines directly to external internet traffic.

Google Front End Service
When a service wants to make itself available on the Internet, it can register itself with an infrastructure service called the Google Front End (GFE). The GFE ensures that all TLS connections are terminated using correct certificates and following best practices such as supporting perfect forward secrecy. The GFE additionally applies protections against Denial of Service attacks (which we will discuss in more detail later). The GFE then forwards requests for the service using the RPC security protocol discussed previously.

Denial of Service (DoS) Protection
The sheer scale of our infrastructure enables Google to simply absorb many DoS attacks. That said, we have multi-tier, multi-layer DoS protections that further reduce the risk of any DoS impact on a service running behind a GFE.

After GCP backbone delivers an external connection to one of our data centers, it passes through several layers of hardware and software load-balancing. These load balancers report information about incoming traffic to a central DoS service running on the infrastructure. When the central DoS service detects that a DoS attack is taking place, it can configure the load balancers to drop or throttle traffic associated with the attack.https://cloud.google.com/security/security-design/

Securing data in transit
Data is vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Google. The Google Front End (GFE) servers mentioned previously support strong encryption protocols such as TLS to secure the connections between customer devices and Google’s web services and APIs. Cloud customers can take advantage of this encryption for their services running on Google Cloud Platform by using the Google Cloud Load Balancer. The Cloud Platform also offers customers additional transport encryption options, including Google Cloud VPN for establishing IPSec virtual private networks.

Compliance & Certifications

Aeegle Cloud Platform is built on top of Google Security foundations, Google undergoes several independent third party audits on a regular basis to provide this assurance. This means that an independent auditor has examined the controls present in our data centers, infrastructure and operations. Google has annual audits for the following standards:

ISO/IEC 27001 (also known as ISO 27001) is the international standard that describes best practice for an information security management system (ISMS), a systematic approach to managing confidential or sensitive corporate information so that it remains secure.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card brands including Visa, MasterCard, American Express, Discover, and JCB. Private label cards –those without a logo from a major card brand are not included in the scope of the PCI DSS.

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services